database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

MDEV-16266 - New command FLUSH SSL to reload server's SSL certificate(private key,CRL,etc)

Browse Source
This commit is contained in:
Vladislav Vaintroub
2018-12-11 18:23:54 +01:00
parent f570da5153
commit 19d3d3e861
13 changed files with 306 additions and 202 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
include/mysql_com.h
View File

@ -231,6 +231,7 @@ enum enum_indicator_type
#define REFRESH_DES_KEY_FILE (1ULL << 18)
#define REFRESH_USER_RESOURCES (1ULL << 19)
#define REFRESH_FOR_EXPORT (1ULL << 20) /* FLUSH TABLES ... FOR EXPORT */
#define REFRESH_SSL (1ULL << 21)
#define REFRESH_GENERIC (1ULL << 30)
#define REFRESH_FAST (1ULL << 31) /* Intern flag */

5
mysql-test/lib/generate-ssl-certs.sh
View File

@ -21,6 +21,11 @@ openssl rsa -in server-key.pem -out server-key.pem
# sign the server certificate with CA certificate
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem
# Certificate with different validity period (MDEV-7598)
openssl req -newkey rsa:1024 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in server-new-key.pem -out server-new-key.pem
openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -infiles demoCA/server-new-req.pem
openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in server8k-key.pem -out server8k-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem

26
mysql-test/main/flush_ssl.result Normal file
View File

@ -0,0 +1,26 @@
# Kill the server
connect ssl_con,localhost,root,,,,,SSL;
SELECT VARIABLE_VALUE INTO @ssl_not_after FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
# Use a different certificate ("Not after" certificate field changed)
FLUSH SSL;
# Check new certificate used by new connection
Result
OK
# Check that existing SSL connection still works, and uses old certificate, even if new one is loaded in FLUSH SSL
connection ssl_con;
SELECT IF(VARIABLE_VALUE=@ssl_not_after,'OK','FAIL') as Result FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
Result
OK
disconnect ssl_con;
connection default;
SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
NAME VALUE
SSL_ACCEPTS 1
SSL_FINISHED_ACCEPTS 1
FLUSH SSL;
SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
NAME VALUE
SSL_ACCEPTS 0
SSL_FINISHED_ACCEPTS 0
# Cleanup
# Kill the server

61
mysql-test/main/flush_ssl.test Normal file
View File

@ -0,0 +1,61 @@
# MDEV-16266 Reload SSL certificate
# This test reloads server SSL certs FLUSH SSL, and checks that
# 1. old SSL connections (that existed before FLUSH) still work and use old certificate
# 2. new SSL connection use new certificate
# 3. if FLUSH SSL runs into error, SSL is still functioning
# SWtatus variable Ssl_server_not_after is used to tell the old certificate from new.
source include/have_ssl_communication.inc;
# Restart server with cert. files located in temp directory
# We are going to remove / replace them within the test,
# so we can't use the ones in std_data directly.
let $ssl_cert=$MYSQLTEST_VARDIR/tmp/ssl_cert.pem;
let $ssl_key=$MYSQLTEST_VARDIR/tmp/ssl_key.pem;
copy_file $MYSQL_TEST_DIR/std_data/server-key.pem $ssl_key;
copy_file $MYSQL_TEST_DIR/std_data/server-cert.pem $ssl_cert;
let $restart_parameters=--ssl-key=$ssl_key --ssl-cert=$ssl_cert;
--source include/kill_mysqld.inc
--source include/start_mysqld.inc
connect ssl_con,localhost,root,,,,,SSL;
SELECT VARIABLE_VALUE INTO @ssl_not_after FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
let $ssl_not_after=`SELECT @ssl_not_after`;
remove_file $ssl_cert;
remove_file $ssl_key;
--echo # Use a different certificate ("Not after" certificate field changed)
copy_file $MYSQL_TEST_DIR/std_data/server-new-key.pem $ssl_key;
copy_file $MYSQL_TEST_DIR/std_data/server-new-cert.pem $ssl_cert;
FLUSH SSL;
--echo # Check new certificate used by new connection
exec $MYSQL --ssl -e "SELECT IF(VARIABLE_VALUE <> '$ssl_not_after', 'OK', 'FAIL') as Result FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after'";
--echo # Check that existing SSL connection still works, and uses old certificate, even if new one is loaded in FLUSH SSL
connection ssl_con;
SELECT IF(VARIABLE_VALUE=@ssl_not_after,'OK','FAIL') as Result FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
disconnect ssl_con;
connection default;
SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
FLUSH SSL;
#Check that accepts are zeroed by FLUSH SSL.
SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
--echo # Cleanup
remove_file $ssl_cert;
remove_file $ssl_key;
# restart with usuall SSL
let $restart_parameters=;
--source include/kill_mysqld.inc
--source include/start_mysqld.inc

69
mysql-test/std_data/server-new-cert.pem Normal file
View File

@ -0,0 +1,69 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
Validity
Not Before: Dec 11 17:13:59 2018 GMT
Not After : Dec 7 17:13:59 2038 GMT
Subject: C=FI, ST=Helsinki, L=Helsinki, O=MariaDB, CN=server-new
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c9:40:33:d7:fb:b7:a2:bc:4e:d4:65:27:1a:c9:
da:8b:2e:fc:a9:60:1a:69:e8:fd:e3:13:78:b6:08:
3b:3e:fd:d3:b0:d3:6c:a1:79:bd:85:ca:be:a1:0a:
4e:2a:ee:2c:8d:da:72:e6:85:56:ec:3a:7c:46:a3:
d3:18:e7:19:19:8d:14:7e:de:d2:a4:2f:22:56:1c:
21:03:24:f6:2d:55:4e:49:25:9f:32:01:94:66:47:
e4:fa:fa:45:b1:b7:33:26:da:f1:c7:29:3b:ba:fe:
e8:d4:f1:fc:29:57:6b:3a:be:ef:2e:1d:da:ef:0a:
d7:54:8d:67:00:7b:7a:29:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FF:42:5E:88:AC:6A:C8:80:63:A8:AF:20:C6:BE:E8:A4:02:D5:42:AF
X509v3 Authority Key Identifier:
keyid:1C:C7:2B:AA:1B:B1:BB:2E:9A:F4:0F:B1:86:60:57:38:C2:41:05:12
Signature Algorithm: sha256WithRSAEncryption
7c:cc:c1:93:43:83:a9:ea:19:9d:1c:a1:f8:e1:c1:61:58:c0:
db:ef:43:6e:d7:cf:4d:75:38:6e:cb:03:25:5d:21:af:03:b1:
86:5f:b3:d1:e2:6f:8c:89:55:b7:82:6a:c0:d6:46:08:0c:68:
9d:ef:cc:2e:79:f5:d8:0b:f2:13:3a:52:cc:08:d5:3a:f0:d8:
5c:9e:85:a7:38:31:9d:7c:61:2b:59:ee:c0:16:a6:16:dd:80:
e2:ef:96:3d:b0:13:ec:9b:9a:91:69:3f:6c:46:87:05:55:b7:
32:85:51:da:02:c3:ac:2d:c3:5e:9a:51:f8:96:75:0b:63:29:
4e:47:47:f1:82:a6:ad:44:3d:51:b3:19:8b:ae:26:a9:15:a0:
73:b6:70:6e:4f:72:9d:69:4e:b2:9b:2a:a8:50:87:b8:9f:c0:
a7:37:0f:9e:bc:4c:80:b9:b8:47:28:8e:33:c3:7f:d7:fe:31:
f0:a9:1c:7a:f7:a3:34:21:d4:e4:53:86:a3:7e:1d:1c:a7:65:
fb:ec:f9:1f:17:1e:4f:19:f9:fe:dd:ee:53:0f:b5:98:b7:7a:
ef:12:6c:8d:32:78:66:a5:42:d7:3d:a5:09:f8:06:05:a4:ff:
bd:4e:e7:85:c4:f0:dc:dc:20:26:84:91:69:e8:cf:3b:27:9f:
35:36:cc:ff
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBWMQ8wDQYDVQQDDAZjYWNl
cnQxCzAJBgNVBAYTAkZJMREwDwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVs
c2lua2kxEDAOBgNVBAoMB01hcmlhREIwHhcNMTgxMjExMTcxMzU5WhcNMzgxMjA3
MTcxMzU5WjBaMQswCQYDVQQGEwJGSTERMA8GA1UECAwISGVsc2lua2kxETAPBgNV
BAcMCEhlbHNpbmtpMRAwDgYDVQQKDAdNYXJpYURCMRMwEQYDVQQDDApzZXJ2ZXIt
bmV3MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJQDPX+7eivE7UZScaydqL
LvypYBpp6P3jE3i2CDs+/dOw02yheb2Fyr6hCk4q7iyN2nLmhVbsOnxGo9MY5xkZ
jRR+3tKkLyJWHCEDJPYtVU5JJZ8yAZRmR+T6+kWxtzMm2vHHKTu6/ujU8fwpV2s6
vu8uHdrvCtdUjWcAe3opKwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIB
DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU/0Je
iKxqyIBjqK8gxr7opALVQq8wHwYDVR0jBBgwFoAUHMcrqhuxuy6a9A+xhmBXOMJB
BRIwDQYJKoZIhvcNAQELBQADggEBAHzMwZNDg6nqGZ0cofjhwWFYwNvvQ27Xz011
OG7LAyVdIa8DsYZfs9Hib4yJVbeCasDWRggMaJ3vzC559dgL8hM6UswI1Trw2Fye
hac4MZ18YStZ7sAWphbdgOLvlj2wE+ybmpFpP2xGhwVVtzKFUdoCw6wtw16aUfiW
dQtjKU5HR/GCpq1EPVGzGYuuJqkVoHO2cG5Pcp1pTrKbKqhQh7ifwKc3D568TIC5
uEcojjPDf9f+MfCpHHr3ozQh1ORThqN+HRynZfvs+R8XHk8Z+f7d7lMPtZi3eu8S
bI0yeGalQtc9pQn4BgWk/71O54XE8NzcICaEkWnozzsnnzU2zP8=
-----END CERTIFICATE-----

15
mysql-test/std_data/server-new-key.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDJQDPX+7eivE7UZScaydqLLvypYBpp6P3jE3i2CDs+/dOw02yh
eb2Fyr6hCk4q7iyN2nLmhVbsOnxGo9MY5xkZjRR+3tKkLyJWHCEDJPYtVU5JJZ8y
AZRmR+T6+kWxtzMm2vHHKTu6/ujU8fwpV2s6vu8uHdrvCtdUjWcAe3opKwIDAQAB
AoGBAKlH3dPxIdg6+TvjEe+Qlsm4bkKyWcV4fAaDnGfRqLQloej9DkUNOAPQNGUV
XAb0bHmtpDSPODxgPaTVrH0n9o1tTXrfIijSM7zm0Ub2H7YPMNMUSae+9K3bdXoL
aHjlYYXBXULa093nXOXNmjX17pBKUmiAkKCoqxTMx9QGW8rRAkEA/aqjdIrbaEJd
Mky4bLzaSZITls/8+LPekUpH+TXdjgSMMaDxd4OXAnA34fssPOhsD8yzgeo2XZZj
Snk4wfBHrwJBAMsaITNwvAXj3joX/eTD4Q/FcwdaPt4dL2BS13uJrva/TZGEAnOn
n5nu2exZDslxyoKA5SBl2oZbhtCAA1elWUUCQQCeo8rZpcWVrHtQa76i8nCpthte
I/EXMJYu0v+0EUXf/WQX3YllrvwP4FJyl3yREuIR93kD9I/Pc6/g8XLXhwetAkB1
VG8BrIqyTGVA4kNGOPJ3jfVZtgTDg9CusKzTLULqQLGq8rwH3DoTTyyNoRUtwpLe
uV+kS7LmE1HaeVl09IyRAkBXb/5p2D+Dfb/3/mx5/YuFNwB07sY+H0CrzO1qSo62
q0nzNK3/irTzqtuerwy/YkBTz/T75GePIK4P0b9elNlb
-----END RSA PRIVATE KEY-----

2
mysql-test/suite/perfschema/r/dml_setup_instruments.result
View File

@ -22,13 +22,13 @@ NAME ENABLED TIMED
wait/synch/rwlock/sql/LOCK_dboptions YES YES
wait/synch/rwlock/sql/LOCK_grant YES YES
wait/synch/rwlock/sql/LOCK_SEQUENCE YES YES
wait/synch/rwlock/sql/LOCK_ssl_refresh YES YES
wait/synch/rwlock/sql/LOCK_system_variables_hash YES YES
wait/synch/rwlock/sql/LOCK_sys_init_connect YES YES
wait/synch/rwlock/sql/LOCK_sys_init_slave YES YES
wait/synch/rwlock/sql/LOGGER::LOCK_logger YES YES
wait/synch/rwlock/sql/MDL_context::LOCK_waiting_for YES YES
wait/synch/rwlock/sql/MDL_lock::rwlock YES YES
wait/synch/rwlock/sql/Query_cache_query::lock YES YES
select * from performance_schema.setup_instruments
where name like 'Wait/Synch/Cond/sql/%'
and name not in (

309
sql/mysqld.cc
View File

@ -770,6 +770,7 @@ mysql_mutex_t LOCK_prepared_stmt_count;
mysql_mutex_t LOCK_des_key_file;
#endif
mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
mysql_rwlock_t LOCK_ssl_refresh;
mysql_prlock_t LOCK_system_variables_hash;
mysql_cond_t COND_thread_count, COND_start_thread;
pthread_t signal_thread;
@ -1033,7 +1034,8 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger,
key_rwlock_LOCK_sys_init_connect, key_rwlock_LOCK_sys_init_slave,
key_rwlock_LOCK_system_variables_hash, key_rwlock_query_cache_query_lock,
key_LOCK_SEQUENCE,
key_rwlock_LOCK_vers_stats, key_rwlock_LOCK_stat_serial;
key_rwlock_LOCK_vers_stats, key_rwlock_LOCK_stat_serial,
key_rwlock_LOCK_ssl_refresh;
static PSI_rwlock_info all_server_rwlocks[]=
{
@ -1048,7 +1050,8 @@ static PSI_rwlock_info all_server_rwlocks[]=
{ &key_rwlock_LOCK_system_variables_hash, "LOCK_system_variables_hash", PSI_FLAG_GLOBAL},
{ &key_rwlock_query_cache_query_lock, "Query_cache_query::lock", 0},
{ &key_rwlock_LOCK_vers_stats, "Vers_field_stats::lock", 0},
{ &key_rwlock_LOCK_stat_serial, "TABLE_SHARE::LOCK_stat_serial", 0}
{ &key_rwlock_LOCK_stat_serial, "TABLE_SHARE::LOCK_stat_serial", 0},
{ &key_rwlock_LOCK_ssl_refresh, "LOCK_ssl_refresh", PSI_FLAG_GLOBAL }
};
#ifdef HAVE_MMAP
@ -2276,6 +2279,7 @@ static void clean_up_mutexes()
mysql_mutex_destroy(&LOCK_rpl_status);
#endif /* HAVE_REPLICATION */
mysql_mutex_destroy(&LOCK_active_mi);
mysql_rwlock_destroy(&LOCK_ssl_refresh);
mysql_rwlock_destroy(&LOCK_sys_init_connect);
mysql_rwlock_destroy(&LOCK_sys_init_slave);
mysql_mutex_destroy(&LOCK_global_system_variables);
@ -4688,6 +4692,7 @@ static int init_thread_environment()
#endif /* HAVE_OPENSSL */
mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect);
mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave);
mysql_rwlock_init(key_rwlock_LOCK_ssl_refresh, &LOCK_ssl_refresh);
mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant);
mysql_cond_init(key_COND_thread_count, &COND_thread_count, NULL);
mysql_cond_init(key_COND_thread_cache, &COND_thread_cache, NULL);
@ -4781,6 +4786,60 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file,
}
#endif /* HAVE_OPENSSL10 */
struct SSL_ACCEPTOR_STATS
{
long accept;
long accept_good;
long cache_size;
long verify_mode;
long verify_depth;
long zero;
const char *session_cache_mode;
SSL_ACCEPTOR_STATS():
accept(),accept_good(),cache_size(),verify_mode(),verify_depth(),zero(),
session_cache_mode("NONE")
{
}
void init()
{
DBUG_ASSERT(ssl_acceptor_fd !=0 && ssl_acceptor_fd->ssl_context != 0);
SSL_CTX *ctx= ssl_acceptor_fd->ssl_context;
accept= 0;
accept_good= 0;
verify_mode= SSL_CTX_get_verify_mode(ctx);
verify_depth= SSL_CTX_get_verify_depth(ctx);
cache_size= SSL_CTX_sess_get_cache_size(ctx);
switch (SSL_CTX_get_session_cache_mode(ctx))
{
case SSL_SESS_CACHE_OFF:
session_cache_mode= "OFF"; break;
case SSL_SESS_CACHE_CLIENT:
session_cache_mode= "CLIENT"; break;
case SSL_SESS_CACHE_SERVER:
session_cache_mode= "SERVER"; break;
case SSL_SESS_CACHE_BOTH:
session_cache_mode= "BOTH"; break;
case SSL_SESS_CACHE_NO_AUTO_CLEAR:
session_cache_mode= "NO_AUTO_CLEAR"; break;
case SSL_SESS_CACHE_NO_INTERNAL_LOOKUP:
session_cache_mode= "NO_INTERNAL_LOOKUP"; break;
default:
session_cache_mode= "Unknown"; break;
}
}
};
static SSL_ACCEPTOR_STATS ssl_acceptor_stats;
void ssl_acceptor_stats_update(int sslaccept_ret)
{
statistic_increment(ssl_acceptor_stats.accept, &LOCK_status);
if (!sslaccept_ret)
statistic_increment(ssl_acceptor_stats.accept_good,&LOCK_status);
}
static void init_ssl()
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
@ -4801,6 +4860,9 @@ static void init_ssl()
opt_use_ssl = 0;
have_ssl= SHOW_OPTION_DISABLED;
}
else
ssl_acceptor_stats.init();
if (global_system_variables.log_warnings > 0)
{
ulong err;
@ -4819,6 +4881,34 @@ static void init_ssl()
#endif /* HAVE_OPENSSL && ! EMBEDDED_LIBRARY */
}
/* Reinitialize SSL (FLUSH SSL) */
int reinit_ssl()
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (!opt_use_ssl)
return 0;
enum enum_ssl_init_error error = SSL_INITERR_NOERROR;
st_VioSSLFd *new_fd = new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher, &error, opt_ssl_crl, opt_ssl_crlpath);
if (!new_fd)
{
my_printf_error(ER_UNKNOWN_ERROR, "Failed to refresh SSL, error: %s", MYF(0),
sslGetErrString(error));
#ifndef HAVE_YASSL
ERR_clear_error();
#endif
return 1;
}
mysql_rwlock_wrlock(&LOCK_ssl_refresh);
free_vio_ssl_acceptor_fd(ssl_acceptor_fd);
ssl_acceptor_fd= new_fd;
ssl_acceptor_stats.init();
mysql_rwlock_unlock(&LOCK_ssl_refresh);
return 0;
#endif
}
static void end_ssl()
{
@ -7441,187 +7531,6 @@ static int show_flush_commands(THD *thd, SHOW_VAR *var, char *buff,
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
/* Functions relying on CTX */
static int show_ssl_ctx_sess_accept(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_accept(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_accept_good(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_accept_good(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_connect_good(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_connect_good(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_accept_renegotiate(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_connect_renegotiate(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_connect_renegotiate(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_cb_hits(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_cb_hits(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_hits(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_hits(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_cache_full(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_cache_full(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_misses(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_misses(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_timeouts(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_timeouts(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_number(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_number(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_connect(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_connect(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_get_cache_size(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_get_verify_mode(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_get_verify_depth(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_get_session_cache_mode(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
{
var->type= SHOW_CHAR;
if (!ssl_acceptor_fd)
var->value= const_cast<char*>("NONE");
else
switch (SSL_CTX_get_session_cache_mode(ssl_acceptor_fd->ssl_context))
{
case SSL_SESS_CACHE_OFF:
var->value= const_cast<char*>("OFF"); break;
case SSL_SESS_CACHE_CLIENT:
var->value= const_cast<char*>("CLIENT"); break;
case SSL_SESS_CACHE_SERVER:
var->value= const_cast<char*>("SERVER"); break;
case SSL_SESS_CACHE_BOTH:
var->value= const_cast<char*>("BOTH"); break;
case SSL_SESS_CACHE_NO_AUTO_CLEAR:
var->value= const_cast<char*>("NO_AUTO_CLEAR"); break;
case SSL_SESS_CACHE_NO_INTERNAL_LOOKUP:
var->value= const_cast<char*>("NO_INTERNAL_LOOKUP"); break;
default:
var->value= const_cast<char*>("Unknown"); break;
}
return 0;
}
/*
Functions relying on SSL
@ -8126,28 +8035,28 @@ SHOW_VAR status_vars[]= {
{"Sort_scan", (char*) offsetof(STATUS_VAR, filesort_scan_count_), SHOW_LONG_STATUS},
#ifdef HAVE_OPENSSL
#ifndef EMBEDDED_LIBRARY
{"Ssl_accept_renegotiates", (char*) &show_ssl_ctx_sess_accept_renegotiate, SHOW_SIMPLE_FUNC},
{"Ssl_accepts", (char*) &show_ssl_ctx_sess_accept, SHOW_SIMPLE_FUNC},
{"Ssl_callback_cache_hits", (char*) &show_ssl_ctx_sess_cb_hits, SHOW_SIMPLE_FUNC},
{"Ssl_accept_renegotiates", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_accepts", (char*) &ssl_acceptor_stats.accept, SHOW_LONG},
{"Ssl_callback_cache_hits", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_cipher", (char*) &show_ssl_get_cipher, SHOW_SIMPLE_FUNC},
{"Ssl_cipher_list", (char*) &show_ssl_get_cipher_list, SHOW_SIMPLE_FUNC},
{"Ssl_client_connects", (char*) &show_ssl_ctx_sess_connect, SHOW_SIMPLE_FUNC},
{"Ssl_connect_renegotiates", (char*) &show_ssl_ctx_sess_connect_renegotiate, SHOW_SIMPLE_FUNC},
{"Ssl_ctx_verify_depth", (char*) &show_ssl_ctx_get_verify_depth, SHOW_SIMPLE_FUNC},
{"Ssl_ctx_verify_mode", (char*) &show_ssl_ctx_get_verify_mode, SHOW_SIMPLE_FUNC},
{"Ssl_client_connects", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_connect_renegotiates", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_ctx_verify_depth", (char*) &ssl_acceptor_stats.verify_depth, SHOW_LONG},
{"Ssl_ctx_verify_mode", (char*) &ssl_acceptor_stats.verify_mode, SHOW_LONG},
{"Ssl_default_timeout", (char*) &show_ssl_get_default_timeout, SHOW_SIMPLE_FUNC},
{"Ssl_finished_accepts", (char*) &show_ssl_ctx_sess_accept_good, SHOW_SIMPLE_FUNC},
{"Ssl_finished_connects", (char*) &show_ssl_ctx_sess_connect_good, SHOW_SIMPLE_FUNC},
{"Ssl_finished_accepts", (char*) &ssl_acceptor_stats.accept_good, SHOW_LONG},
{"Ssl_finished_connects", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_server_not_after", (char*) &show_ssl_get_server_not_after, SHOW_SIMPLE_FUNC},
{"Ssl_server_not_before", (char*) &show_ssl_get_server_not_before, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_hits", (char*) &show_ssl_ctx_sess_hits, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_misses", (char*) &show_ssl_ctx_sess_misses, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_mode", (char*) &show_ssl_ctx_get_session_cache_mode, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_overflows", (char*) &show_ssl_ctx_sess_cache_full, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_size", (char*) &show_ssl_ctx_sess_get_cache_size, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_timeouts", (char*) &show_ssl_ctx_sess_timeouts, SHOW_SIMPLE_FUNC},
{"Ssl_sessions_reused", (char*) &show_ssl_session_reused, SHOW_SIMPLE_FUNC},
{"Ssl_used_session_cache_entries",(char*) &show_ssl_ctx_sess_number, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_hits", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_session_cache_misses", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_session_cache_mode", (char*) &ssl_acceptor_stats.session_cache_mode, SHOW_CHAR_PTR},
{"Ssl_session_cache_overflows", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_session_cache_size", (char*) &ssl_acceptor_stats.cache_size, SHOW_LONG},
{"Ssl_session_cache_timeouts", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_sessions_reused", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_used_session_cache_entries",(char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_verify_depth", (char*) &show_ssl_get_verify_depth, SHOW_SIMPLE_FUNC},
{"Ssl_verify_mode", (char*) &show_ssl_get_verify_mode, SHOW_SIMPLE_FUNC},
{"Ssl_version", (char*) &show_ssl_get_version, SHOW_SIMPLE_FUNC},

4
sql/mysqld.h
View File

@ -96,6 +96,9 @@ extern void init_net_server_extension(THD *thd);
extern void handle_accepted_socket(MYSQL_SOCKET new_sock, MYSQL_SOCKET sock);
extern void create_new_thread(CONNECT *connect);
extern void ssl_acceptor_stats_update(int sslaccept_ret);
extern int reinit_ssl();
extern "C" MYSQL_PLUGIN_IMPORT CHARSET_INFO *system_charset_info;
extern MYSQL_PLUGIN_IMPORT CHARSET_INFO *files_charset_info ;
extern MYSQL_PLUGIN_IMPORT CHARSET_INFO *national_charset_info;
@ -633,6 +636,7 @@ extern mysql_mutex_t LOCK_des_key_file;
extern mysql_mutex_t LOCK_server_started;
extern mysql_cond_t COND_server_started;
extern mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
extern mysql_rwlock_t LOCK_ssl_refresh;
extern mysql_prlock_t LOCK_system_variables_hash;
extern mysql_cond_t COND_thread_count, COND_start_thread;
extern mysql_cond_t COND_manager;

7
sql/sql_acl.cc
View File

@ -12641,7 +12641,12 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
return packet_error;
DBUG_PRINT("info", ("IO layer change in progress..."));
if (sslaccept(ssl_acceptor_fd, net->vio, net->read_timeout, &errptr))
mysql_rwlock_rdlock(&LOCK_ssl_refresh);
int ssl_ret = sslaccept(ssl_acceptor_fd, net->vio, net->read_timeout, &errptr);
mysql_rwlock_unlock(&LOCK_ssl_refresh);
ssl_acceptor_stats_update(ssl_ret);
if(ssl_ret)
{
DBUG_PRINT("error", ("Failed to accept new SSL connection"));
return packet_error;

5
sql/sql_reload.cc
View File

@ -416,6 +416,11 @@ bool reload_acl_and_cache(THD *thd, unsigned long long options,
#endif
if (options & REFRESH_USER_RESOURCES)
reset_mqh((LEX_USER *) NULL, 0); /* purecov: inspected */
if (options & REFRESH_SSL)
{
if (reinit_ssl())
result= 1;
}
if (options & REFRESH_GENERIC)
{
List_iterator_fast<LEX_CSTRING> li(thd->lex->view_list);

2
sql/sql_yacc.yy
View File

@ -14486,6 +14486,8 @@ flush_option:
{ Lex->type|= REFRESH_DES_KEY_FILE; }
| RESOURCES
{ Lex->type|= REFRESH_USER_RESOURCES; }
| SSL_SYM
{ Lex->type|= REFRESH_SSL;}
| IDENT_sys remember_tok_start
{
Lex->type|= REFRESH_GENERIC;

2
sql/sql_yacc_ora.yy
View File

@ -14541,6 +14541,8 @@ flush_option:
{ Lex->type|= REFRESH_DES_KEY_FILE; }
| RESOURCES
{ Lex->type|= REFRESH_USER_RESOURCES; }
| SSL_SYM
{ Lex->type|= REFRESH_SSL;}
| IDENT_sys remember_tok_start
{
Lex->type|= REFRESH_GENERIC;